Forum Discussion
iRule to verify request to VIP came via a URL, not an IP
Does anyone know if it's possible to write an iRule to ensure a request to a VIP came from a URL, not an IP.
We have an External VIP (DMZ), whose pool member is an Internal VIP (Internal), on separate LTMs. We would like to only allow traffic to the VIP if the request came via a URL, not an IP.
Reason: Port scans would find that 443 is open on our public IP, and F5 could allow access all the way to the inside environment because of this configuration. Ultimately, I'd like to block access to the VIP unless the request came from https://.domain.com.
Any help or examples of code would be greatly appreciated!
4 Replies
- ltwagnon (Ret. Employee)
On the front VIP, you could add this iRule:
```tcl
when HTTP_REQUEST {
    if { not ([string tolower [HTTP::host]] ends_with "domain.com") } {
        reject
    }
}
```
This should work as long as anything "domain.com" is acceptable.
- Jason_40733
Cirrocumulus
Yes. Something like this might work. Haven't tested it, but the theory is workable I believe.
Data group of allowed DNS hosts used to verify web address:
```
ltm data-group internal /Common/ALLOWEDDNS {
    records {
        www.mycompany.com { }
        www.mycompany.net { }
        www.mycompany.org { }
    }
    type string
}
```
iRule:
```tcl
ltm rule /Common/RULE_NOIPS {
    when HTTP_REQUEST {
        if { [matchclass [HTTP::host] equals $::ALLOWEDDNS] } {
            pool MYWEBPOOL
        } else {
            reject
        }
    }
}
```
- JRahm_128324 (Historic F5 Account)
Logic is sound, but unless the original requestor is on v9, you should avoid matchclass and instead use the class command.
- Jason_40733
Cirrocumulus
Good tip. Much appreciated.
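Putting the thread's advice together, here is an added example (not code posted by anyone in the thread) of the data-group approach using the `class` command instead of `matchclass`. It assumes the ALLOWEDDNS data group and MYWEBPOOL pool from Jason's reply; the port stripping, the 403 response and the log line are my additions. Bear in mind that the Host header is supplied by the client, so this only turns away requests that address the VIP by IP address; anyone who knows the hostname can still send it.

```tcl
# Added example: allow a request only when its Host header names one of the
# hostnames in the ALLOWEDDNS string data group (defined in Jason's reply).
when HTTP_REQUEST {
    # Normalise case; Host matching in the data group is exact.
    set host [string tolower [HTTP::host]]

    # Clients may send "www.mycompany.com:443"; keep only the name part.
    # An IPv6 literal such as "[::1]:443" collapses to "[", which is simply
    # not in the allow list and is therefore rejected like any IP literal.
    set host [lindex [split $host ":"] 0]

    # HTTP/1.0 requests with no Host header arrive here as "" and fall
    # through to the reject branch as well.
    if { [class match $host equals ALLOWEDDNS] } {
        pool MYWEBPOOL
    } else {
        # Log the rejection so IP-based scans of the public VIP are visible
        # in the LTM log, then answer with a closed 403 instead of a bare reset.
        log local0. "Rejected request for host '$host' from [IP::client_addr]"
        HTTP::respond 403 content "Forbidden" "Connection" "close"
    }
}
```

If the upstream Internal VIP should also refuse IP-addressed requests, apply the same iRule there with its own data group rather than relying on the DMZ LTM alone.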